File Name: Knight.exe
File size: 126976 bytes
MD5...: ac0408d0daff20338a32e6bceafceece
SHA1..: 4f4527b01bd9e38451c742f1c3be0cfa4c41d513
SHA256: ddd8a28f59ad375b13b33caad022e0af508f5965f582336385a2a54d6e2f878d
SHA512: 24869ed9ca1edab7cfbcdda493b547304dd341c2063c43b0bd1bb92e6ce2a7487bb0e07441227a6581e15423ad359e839c1aaff9be9d49f355935ef0b718eb81
VirusTotal Result: 18/31 (58.07%)
AhnLab-V3 2008.5.3.0 2008.05.06 Win32/AutoRun.worm.126976
AntiVir 7.8.0.11 2008.05.06 Worm/Autorun.X.1
Avast 4.8.1169.0 2008.05.05 INF:DiskKnight
AVG 7.5.0.516 2008.05.06 Worm/VB.BVK
BitDefender 7.2 2008.05.06 Trojan.VB.NIM
CAT-QuickHeal 9.50 2008.05.06 Worm.AutoRun.fb
DrWeb 4.44.0.09170 2008.05.06 Win32.HLLW.Autoruner.822
eTrust-Vet 31.3.5763 2008.05.06 Win32/VMalum.JYO
F-Secure 6.70.13260.0 2008.05.06 Virus.Win32.AutoRun.fb
Ikarus T3.1.1.26.0 2008.05.06 Virus.Win32.AutoRun.fb
Kaspersky 7.0.0.125 2008.05.06 Virus.Win32.AutoRun.fb
McAfee 5289 2008.05.06 Generic VB.b
NOD32v2 3079 2008.05.06 probably a variant of Win32/AutoRun.CH
Prevx1 V2 2008.05.06 Malicious Software
Rising 20.43.12.00 2008.05.06 Worm.Win32.VB.ka
Sophos 4.29.0 2008.05.06 Mal/DiskNite-A
VBA32 3.12.6.5 2008.05.06 Virus.Win32.AutoRun.fb
Webwasher-Gateway 6.6.2 2008.05.06 Worm.Autorun.X.1
File Info:
PE Structure information
( base data )
entrypointaddress.: 0x402444
timedatestamp.....: 0x46113e37 (Mon Apr 02 17:32:39 2007)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1a884 0x1b000 5.78 f63c224bf6f43e22be4a27a18b9c0295
.data 0x1c000 0x1f28 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x1e000 0x3087 0x2000 3.47 c1a3f79916f0a8bcf867a0910cd67b27
( 1 imports )
> MSVBVM60.DLL: __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaVarIdiv, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaRaiseEvent, __vbaFreeObjList, -, -, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, -, -, __vbaI2Abs, __vbaCopyBytes, __vbaResume, __vbaStrCat, __vbaError, -, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, -, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaCyErrVar, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaOnError, -, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, -, __vbaForEachCollVar, __vbaBoolVar, -, __vbaStrFixstr, -, __vbaBoolVarNull, __vbaFpR8, _CIsin, -, -, __vbaErase, __vbaVargVarMove, -, -, __vbaNextEachCollObj, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, -, -, __vbaGenerateBoundsError, __vbaCyI2, __vbaExitEachColl, -, __vbaStrCmp, __vbaAryConstruct2, __vbaPutOwner3, __vbaVarTstEq, __vbaCyI4, __vbaNextEachCollVar, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, __vbaVarOr, -, __vbaFpUI1, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaStrUI1, __vbaExceptHandler, -, __vbaPrintFile, -, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, -, __vbaR8ErrVar, -, __vbaFPException, -, __vbaInStrVar, __vbaUbound, __vbaGetOwner3, __vbaStrVarVal, __vbaVarCat, -, __vbaI2Var, -, -, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaR8Str, __vbaVarLateMemCallLdRf, -, __vbaVar2Vec, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, -, _adj_fdivr_m32i, -, __vbaStrCopy, __vbaI4Str, -, __vbaVarNot, __vbaFreeStrList, -, _adj_fdivr_m32, __vbaPowerR8, _adj_fdiv_r, -, -, -, __vbaVarTstNe, __vbaI4Var, __vbaVarCmpEq, __vbaVarAdd, __vbaAryLock, __vbaStrToAnsi, 
__vbaVarDup, __vbaVarCopy, __vbaFpI4, -, __vbaVarLateMemCallLd, __vbaRecDestructAnsi, -, _CIatan, __vbaAryCopy, __vbaUI1Str, -, __vbaStrMove, __vbaCastObj, -, _allmul, _CItan, -, __vbaAryUnlock, __vbaUI1Var, __vbaVarForNext, _CIexp, -, __vbaFreeObj, __vbaFreeStr, -
Process Details:
Process ID 1116
Filename C:\knight.exe
Filesize 126976 bytes
MD5 ac0408d0daff20338a32e6bceafceece
Start Reason AnalysisTarget
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
Creates Process - Filename (C:\WINDOWS\knight.exe)
New Files
C:\WINDOWS\knight.exe
Opened Files
C:\knight.exe
C:\knight.exe
C:\WINDOWS\knight.exe
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\knight.exe
Chronological order
Open File: C:\knight.exe (OPEN_EXISTING)
Create File: C:\WINDOWS\knight.exe
Open File: C:\knight.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\knight.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\knight.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\knight.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Owner\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\knight.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\knight.exe ()
Find File: knight.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Read INI File
C:\Documents and Settings\Owner\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Owner\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Owner\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Owner\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
WINHELP.INI [FILES] .HLP =
Reads
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\HTML Help ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help ""
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\knight.exe
_________________ .:: MaliciousBrains ::.
http://www.malwareinfo.org
There are no patches or service packs for IGNORANCE!!